Apple iPhone 5s TouchID and Exchange ActiveSync (updated)

Just today I was curious how Apple's biometric convenience feature, TouchID on the iPhone 5s, would interact with password policies enforced by Exchange ActiveSync (EAS).

I frequently run into complaints from Android users who previously used a Pattern Lock instead of a PIN to unlock their phones. When my EAS policy sets specific password requirements, the phone OS replaces the Pattern Lock with the more traditional PIN (or alphanumeric password) unlock. Unfortunately for those users, there is no Pattern Unlock support in EAS. Would this also be the case with TouchID in iOS 7, given that EAS has no explicit support for biometric features?

As I don't own an iPhone 5s (Lumia 920 FTW!), I asked around on Twitter and got some feedback on this subject (read the whole Twitter thread) and a link to a MacRumors forum discussion (here). It seems as if TouchID is an overlay on top of any PIN requirement: users report having EAS policies with specific password requirements and certain lock-times, yet they now only see the TouchID interface, which unlocks the phone after said lock-times. It appears that a successful TouchID identification is accepted in place of the password challenge. Basically, TouchID bypasses any complex password policy set by ActiveSync (confirmed by The UC Architects fellow John A. Cook). There does appear to be a requirement to enter the PIN after the phone has been (re)started, and when the phone has not been unlocked for 48 hours, but besides that it's TouchID only. And how many times do you restart your phone or leave it alone for two days?

What then? Well, those on Exchange Server 2010 or 2013 (on-premises or hosted via Office 365) can block or quarantine iOS 7 with ABQ (Allow/Block/Quarantine), as I wrote in a recent post. But, as TouchID is currently only available on the iPhone 5s, blocking iOS 7 as a whole would block a lot of devices that don't have this biometric feature and its potential security issue. It's more of a hardware/device issue than a software issue. The alternative would be to block on DeviceModel: it seems the iPhone 5 (either S, C or both; unfortunately I cannot check this at the moment) has a DeviceModel value of iPhone5C2. Something like this would quarantine these devices:
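As an added example (not the cmdlet from the original post, which is not reproduced here), this Exchange Management Shell sequence does what the paragraph describes: it first lists the DeviceModel values your iPhones actually report, then creates an ABQ rule that quarantines devices reporting the iPhone5C2 model, and finally shows how to review and release quarantined devices. The mail addresses, the user notification text and the `<DeviceId>` value are placeholders; the cmdlets and parameters are the standard Exchange 2010 SP1 / 2013 / Exchange Online ones.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# (Exchange 2010 SP1 or later, Exchange 2013, or a remote session to Exchange Online).

# 1. Discover which DeviceModel strings the organisation's iPhones report, so the
#    rule matches reality. The post observed iPhone5C2; yours may differ.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq 'iPhone' } |
    Group-Object DeviceModel |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 2. Quarantine (rather than outright block) devices reporting the iPhone5C2 model.
#    A quarantined device cannot sync until an administrator releases it.
New-ActiveSyncDeviceAccessRule -QueryString 'iPhone5C2' `
    -Characteristic DeviceModel `
    -AccessLevel Quarantine

# 3. Send quarantine notifications to the admins and explain to the user why sync stopped.
#    Both values are placeholders.
Set-ActiveSyncOrganizationSettings `
    -AdminMailRecipients 'eas-admins@example.com' `
    -UserMailInsert 'Your device model is being reviewed by IT. Please contact the helpdesk.'

# 4. Review what is currently quarantined, with the reason Exchange recorded.
Get-ActiveSyncDevice -Filter { DeviceAccessState -eq 'Quarantined' } |
    Format-Table UserDisplayName, DeviceModel, DeviceId, DeviceAccessStateReason -AutoSize

# 5. After review, release one specific device for one mailbox by adding its DeviceId
#    to that mailbox's allow list. <DeviceId> is a placeholder taken from step 4.
Set-CASMailbox -Identity 'user@example.com' -ActiveSyncAllowedDeviceIDs @{Add='<DeviceId>'}
```

Two caveats for anyone deploying this: the DeviceModel string is self-reported by the client, so the rule enforces policy on well-behaved devices rather than proving what hardware is on the other end; and, as the post notes, if the iPhone 5c reports the same model value, this rule quarantines it too even though it has no TouchID, which is why quarantine with admin review is preferable to a hard block.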

For most organizations this TouchID hack is possibly a non-issue. For instance, there are still a lot of Exchange organizations without any EAS password policies. But for those that are very security minded or have certain legal requirements, the ABQ feature in Exchange can be very helpful in this case.

P.S. Feel free to leave DeviceModel values in the comments if yours vary from mine.

The iOS7 fingerprint reader is not supported as a device password. If you enable the fingerprint reader to secure your iOS7 device, you will still need to create and enter a password if your mobile device mailbox policies require a password.

The language is a little bit confusing, as experience shows that the password is needed only once after booting; after that, FingerprintID is sufficient. I think the point they are trying to make is that even though TouchID is present and used, you still need to set a password if the policy requires it. Thanks to Exchange MVP and The UC Architects fellow Paul Cunningham for the catch!